Privilege reference
Privilege reference
In the Coveo privilege system, each domain can be associated to one or more access level to form a privilege, which allows an API key or a group of users to perform certain operations in the Coveo Administration Console. See Manage privileges and Navigate the "Privileges" tab for more information.
However, although many domains offer a View and an Edit access level, the abilities represented by these access levels may differ from domain to domain. Some domains also offer different access level options such as Allowed or Push. So, to help you grant the appropriate privilege to groups of users or API keys, this page details what your grantee can do when granted each access level option for each domain. In the Coveo Administration Console, domains of privilege are grouped by service, and this page uses the same arrangement. Use the In this article menu on the right side of the page to browse the services and domains.
|
The operation of granting privileges isn’t to be taken lightly, as insufficient privileges can hinder task accomplishment, while inadequate or unnecessary privileges could lead to accidents or misuse. When allowed to delegate powers, you should have a good understanding of how the Coveo privilege system works and be well aware of the implications of each choice you make. In this regard, we recommend thoroughly reading the privilege documentation before granting privileges or editing a privilege set, and enforcing the principle of least privilege, that is, granting just enough privileges for the grantee to perform their tasks (see Manage privileges and Principle of Least Privilege). |
In the following tables, the typical grantees associated to a privilege are mostly the built-in groups or group templates that are granted this access level by default (see built-in groups comparison tables). However, they could also include typical groups of users that should have the privilege granted to them (for example, support agents). Members of the Administrators group are always granted the highest access level. Similarly, the Typical grantee column shows which API key templates are granted each access level.
Analytics service
Administrate domain
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
Allowed |
|
|
Analytics data domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
|
Push |
|
|
Push and view |
|
Administrators |
Data exports domain
|
|
The Data exports domain access levels are ineffective without the View access level on the Analytics data domain |
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View and download usage analytics data exports containing clicks, groups, keywords, searches, and custom events meeting the specified criteria for a specific date range |
|
Edit |
|
|
Data health domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
Administrators |
Delete user data domain
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
Allowed |
Delete usage analytics user data
|
Administrators |
Dimensions domain
|
|
The Dimensions domain access levels are ineffective without the View access level on the Analytics data domain. |
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
Analytics viewers |
Edit |
Add, edit, or delete dimensions created by Coveo organization members |
|
Impersonate domain (analytics)
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
Allowed |
Allow a custom process or bot to push usage analytics events with different identities |
|
Named filters domain
|
|
The Named filters domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains. |
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View named filters |
Analytics viewers |
Edit |
|
Permission filters domain
|
|
The Permission filters domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains. |
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
View |
View permission filters restricting the usage analytics data that analysts can review in reports
|
|
||
Edit |
|
Administrators |
Property domain
|
|
The Property domain access levels are ineffective without the View access level on the Analytics data domain. |
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View properties that manage tracking IDs across different sites or applications |
|
Edit |
Add a property to register a new tracking ID, or edit or delete an existing property. |
|
Reports domain
|
|
The Reports domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains. |
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
View |
View usage analytics reports (dashboards and explorers) |
Analytics viewers |
||
Edit |
Add, edit, or delete usage analytics reports (dashboards and explorers)
|
|
Snowflake management domain
|
|
The Edit access level is ineffective without the Allowed access level on the Administrate domain. |
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
|
Edit |
|
|
View all reports domain
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
Allowed |
View all reports, regardless of report accesses. Members that don’t have this access level can only review the reports they’re explicitly allowed to access.
|
|
Commerce service
Catalog domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View catalog entities and catalog configuration |
|
Edit |
Add, edit, or delete catalog entities |
Administrators |
Merchandising hub domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View Search, Product listings, and Recommendations managers |
|
Edit |
Add, edit, or delete Search, Product listings, and Recommendations managers |
Administrators |
Content service
Connectivity diagnostic logs domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
Crawling Module domain
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
View |
|
Content managers |
||
Edit |
This access level allows a Crawling Module instance to report its status to Coveo. This status is then displayed on the Crawling Modules (platform-ca | platform-eu | platform-au) page. Granting this access level to groups of users doesn’t give them any additional capabilities. |
|
Crawling Module log request domain
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
View |
Granting this privilege to groups of users or API keys doesn’t give them any additional capabilities. |
|||
Edit |
|
Administrators |
Extensions domain
| Access level | Grantee abilities | Typical grantees | |
|---|---|---|---|
View all |
View the code and usage statistics of available extensions assigned to sources. This is especially useful when troubleshooting cases such as item indexing issues. |
||
View |
View the code and usage statistics of the specified extensions. This is especially useful when troubleshooting cases such as item indexing issues. |
||
Edit |
Add code snippets to apply transformations to indexed items such as adding or modifying metadata. We recommend that you grant this privilege to developers only. |
||
Edit all |
Add code snippets to apply transformations to indexed items such as adding or modifying metadata. We recommend that you grant this privilege to developers only. |
|
|
Fields domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View fields and field configuration |
Users |
Edit |
|
|
Logical indexes domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
|
Edit |
|
|
Push identities to security providers domain
| Access level | Grantee abilities | Typical grantees | |
|---|---|---|---|
Custom |
Allow |
Use the Push API to add, update, or disable security identities in the specified security identity providers |
|
Allow for all providers |
Use the Push API to add, update, or disable security identities in any security identity provider |
||
Push items to sources domain
| Access level | Grantee abilities | Typical grantees | |
|---|---|---|---|
Custom |
Allow |
|
|
Allow for all sources |
|
||
Security identities domain
|
|
The Security identities domain access levels are ineffective without the View access level on the Security identity providers domain. |
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
|
Edit |
Only required by certain API calls (for example, enable all disabled entities in security cache). Granting this access level to groups of users doesn’t give them any additional capabilities. |
Administrators |
Security identity providers domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
|
Edit |
Administrators |
Source metadata domain
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
View |
View a sample of the metadata discovered while indexing a source
|
Administrators |
Sources domain
|
Notes
|
| Access level | Grantee abilities | Typical grantees | |
|---|---|---|---|
View all |
|
Users |
|
View |
|
||
Edit |
|
||
Edit all |
|
|
|
|
|
The Edit access level on the Sources domain does not grant the ability to push or stream items to Push and Catalog sources. |
Customer service
Case Assist configuration domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View elements of the Case Assist (platform-ca | platform-eu | platform-au) page |
|
Edit |
Manage elements of the Case Assist (platform-ca | platform-eu | platform-au) page |
Administrators |
Use Case Assist domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
Allowed |
Leverage case assist configurations in support cases |
|
Insight Panel configuration domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View elements of the Insight Panel (platform-ca | platform-eu | platform-au) page |
|
Edit |
Manage elements of the Insight Panel (platform-ca | platform-eu | platform-au) page |
Administrators |
Insight Panel interface domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View an Insight Panel interface in a Customer Relationship Management (CRM) system |
|
Edit |
Create, update, or delete an Insight Panel interface |
Administrators |
Insight Panel items domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View items relevant to a case using the Insight Panel interface |
|
Insight Panel User Actions domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View user actions relevant to a case using the Insight Panel interface |
|
Knowledge service
Answer manager domain
|
|
Both the Edit and View access level on the Answer manager domain allows the member to view all generated answers for which feedback exists in an answer configuration in the Answer Manager. This may include content to which the member may not have access to otherwise through the repository’s permission system. Exercise caution when granting this privilege to members. |
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
|
Edit |
|
|
Chunk inspector domain
|
|
The Enable access level on the Chunk inspector domain allows the member to view all segments of text (chunks) used during answer generation, as well as the chunks for a given indexed item. This may include content to which the member may not have access to otherwise through the repository’s permission system. Exercise caution when granting this privilege to members. |
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
Enable |
Access the Knowledge Hub’s Chunk Inspector to view the segments of text (chunks) used for a generated answer or a specific item. |
|
Knowledge hub domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
Enable |
Access the Coveo Knowledge Hub |
|
Machine learning service
Allow content preview domain
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
Enable |
Inspect the resources available to create content-based Coveo Machine Learning models
|
|
Models domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View Coveo Machine Learning models |
|
Edit |
Add, edit, or delete machine learning models, and therefore optimize search results relevance and search experience in general |
|
User profiles domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View the Coveo Machine Learning user profile made for each user or visitor ID |
|
Edit |
Edit the Coveo Machine Learning user profile made for each user or visitor ID |
Administrators |
Organization service
API keys domain
|
|
Note
This domain is only available when configuring groups, as API keys can’t be granted the privilege to view or edit other API keys. |
| Access level | Grantee abilities | Typical grantees | |
|---|---|---|---|
View all |
View in read-only mode the configuration of all API keys |
|
|
View |
View in read-only mode the configuration of specific API keys |
||
Edit |
|||
Edit all |
Administrators |
||
Activities domain
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
View |
|
|
||
Edit |
Administrators |
Critical updates domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
Access the list of available critical updates |
|
Edit |
Enable/disable critical updates in the organization |
Administrators |
Customer keys domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
Access the list of available BYOK encryption keys |
|
Edit |
Add, activate, or delete BYOK encryption keys |
Administrators |
Groups domain
|
Leading practice
Grant the Edit or Edit all access level for the Groups domain only to a few people, ideally the authority in your company that manages access rights in corporate systems. |
| Access level | Grantee abilities | Typical grantees | |
|---|---|---|---|
View all |
|
Analytics managers |
|
View |
View groups, including their privileges |
|
|
Edit |
Relevance managers |
||
Edit all |
Administrators |
||
|
|
Note
For the preceding grantees, by default, members of the Relevance Managers built-in group can edit this group only. This allows them to invite other people in the Relevance Managers group, but not in other groups. |
|
The Edit all access level is especially potent since grantees can use it to add anyone, including themselves, to any organization group. This can lead to privilege escalation |
Link domain
See Privileges required to manage snapshots for details on the privileges you need to use the resource snapshot feature.
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
|
Edit |
Administrators |
Notifications domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
||
Edit |
Administrators |
On-premises administration domain
The privileges of this domain are required by the Coveo Crawling Module API keys only. Granting these privileges to groups of users doesn’t give them any additional capabilities.
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
View |
||||
Edit |
This access level, when granted to a Coveo Crawling Module API key, allows the Crawling Module to communicate with Coveo. Granting it to users or groups doesn’t give them any additional capabilities. |
|
Organization domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
|
Edit |
Administrators |
Projects domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
|
Edit |
Administrators |
Single sign-on identity provider domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
||
Edit |
Administrators |
Snapshots domain
See Privileges required to manage snapshots for details on the privileges you need to use the resource snapshot feature.
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
|
|
Edit |
|
|
Temporary access domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View who at Coveo has asked for and been granted temporary access to your organization, as well as the privileges they were granted |
|
Edit |
Revoke temporary access to your organization |
Administrators |
Vault entry domain
See Privileges required to manage snapshots for details on the privileges you need to use the resource snapshot feature.
|
|
Note
To import sensitive information in your destination organization, you must have both of the following privileges:
|
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
Import sensitive information (in the origin organization) |
|
Edit |
|
Administrators |
Search service
Execute queries domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
Allowed |
For organization members and API keys to send queries and get search results in search pages connected to their Coveo organization |
|
Expression validation result domain
Required to use an upcoming feature. Granting privileges on this domain doesn’t give the grantee any additional capabilities yet.
Impersonate domain (search)
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
Allowed |
Obtain a search token for a search interface that replicates a permission system to execute queries and send usage analytics events as a specific user. See Use search token authentication for more information.
|
|
Modify authentication provider domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
Allowed |
Manage authentication for sources that index permissions, such as when they’re secured with SharePoint claims-based identities |
Administrators |
Query logs domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
In your consumption dashboard, download a list of the queries performed in a hub during a certain month |
Administrators |
Query pipelines domain
| Access level | Grantee abilities | Typical grantees | |
|---|---|---|---|
View all |
|||
View |
|
||
Edit |
|||
Edit all |
|
|
|
Query pipeline preview domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
Review how changes to result ranking rules affect search results on the Preview test search page. |
|
Replay any query domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
Replay a query through the Relevance Inspector. |
|
Salesforce index configuration domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
||
Edit |
Link a Coveo organization to a Salesforce organization that uses a Salesforce index |
Administrators |
Search pages and IPX domain
| Access level | Grantee abilities | Typical grantees | |
|---|---|---|---|
View |
Access all the hosted search pages and In-Product Experiences (IPX) in the Coveo organization |
|
|
Edit |
|
Administrators |
|
|
|
The Edit access level is a sensitive privilege which is typically granted only to administrators. This privilege should remain limited to avoid being exploited by malicious users who could enter unwanted code and put search page users at risk. |
Search usage metrics domain
| Access level | Grantee abilities | Typical grantees |
|---|---|---|
View |
View the Consumption dashboard |
Relevance managers |
Edit |
Edit the entitlement metric of a search hub in the Consumption dashboard |
Administrators |
View all content domain
| Access level | Grantee abilities | Typical grantees | ||
|---|---|---|---|---|
Allowed |
|
Administrators |
Built-in group comparison tables
The following tables compare the privileges granted to each built-in group or group template.
Analytics service
| Domain | Administrators | Analytics Managers | Analytics Viewers | Content Managers | Relevance Managers | Users | Knowledge Managers |
|---|---|---|---|---|---|---|---|
Allowed |
- |
- |
- |
- |
- |
Allowed |
|
Push and view |
View |
View |
- |
View |
- |
View |
|
Edit |
Edit |
Edit |
- |
Edit |
- |
View |
|
View |
View |
View |
- |
View |
- |
View |
|
Allowed |
- |
- |
- |
- |
- |
- |
|
Edit |
Edit |
View |
- |
Edit |
- |
View |
|
Allowed |
- |
- |
- |
- |
- |
- |
|
Edit |
Edit |
View |
- |
Edit |
- |
- |
|
Edit |
View |
View |
- |
View |
- |
View |
|
Edit |
Edit |
View |
- |
Edit |
- |
Edit |
|
Edit |
Edit |
View |
- |
- |
- |
Edit |
|
Validate event |
View |
View |
View |
- |
View |
- |
- |
Allowed |
Allowed |
- |
- |
Allowed |
- |
Allowed |
Commerce service
| Domain | Administrators | Analytics Managers | Analytics Viewers | Content Managers | Relevance Managers | Users | Knowledge Managers |
|---|---|---|---|---|---|---|---|
Edit |
- |
- |
- |
- |
- |
- |
|
Merchandising hub |
Edit |
- |
- |
- |
- |
- |
- |
Product listing |
Edit |
- |
- |
- |
- |
- |
- |
Content service
| Domain | Administrators | Analytics Managers | Analytics Viewers | Content Managers | Relevance Managers | Users | Knowledge Managers |
|---|---|---|---|---|---|---|---|
View |
- |
- |
View |
- |
- |
- |
|
Edit |
- |
- |
View |
- |
View |
View |
|
Edit |
- |
- |
- |
- |
- |
- |
|
Edit all |
- |
- |
Edit all |
- |
- |
- |
|
Edit |
- |
- |
Edit |
View |
View |
View |
|
Edit |
- |
- |
Edit |
- |
- |
- |
|
Allow for all providers |
- |
- |
Allow for all providers |
- |
- |
- |
|
Allow for all sources |
- |
- |
Allow for all sources |
- |
- |
Allow for all sources |
|
Edit |
- |
- |
Edit |
- |
- |
- |
|
Edit |
- |
- |
Edit |
- |
- |
- |
|
View |
- |
- |
- |
- |
- |
- |
|
Edit all |
- |
- |
Edit all |
- |
View all |
View all |
"Customer service" service
| Domain | Administrators | Analytics Managers | Analytics Viewers | Content Managers | Relevance Managers | Users | Knowledge Managers |
|---|---|---|---|---|---|---|---|
Edit |
- |
- |
- |
- |
- |
Edit |
|
View |
- |
- |
- |
- |
- |
View |
|
Edit |
- |
- |
- |
- |
- |
Edit |
|
Edit |
- |
- |
- |
- |
- |
Edit |
|
View |
- |
- |
- |
- |
- |
View |
|
Allowed |
- |
- |
Allowed |
Allowed |
Allowed |
Allowed |
"Knowledge" service
| Domain | Administrators | Analytics Managers | Analytics Viewers | Content Managers | Relevance Managers | Users | Knowledge Managers |
|---|---|---|---|---|---|---|---|
Edit |
- |
- |
- |
- |
- |
Edit |
|
Enable |
- |
- |
- |
- |
- |
Enable |
|
Enable |
- |
- |
- |
- |
- |
Enable |
Machine learning service
| Domain | Administrators | Analytics Managers | Analytics Viewers | Content Managers | Relevance Managers | Users | Knowledge Managers |
|---|---|---|---|---|---|---|---|
Allowed |
- |
- |
- |
Allowed |
- |
Allowed |
|
Edit |
- |
- |
- |
Edit |
- |
View |
|
Edit |
- |
- |
- |
- |
- |
View |
Organization service
| Domain | Administrators | Analytics Managers | Analytics Viewers | Content Managers | Relevance Managers | Users | Knowledge Managers |
|---|---|---|---|---|---|---|---|
Edit all |
- |
- |
View all |
View all |
- |
- |
|
Edit |
- |
- |
View |
View |
- |
- |
|
Edit |
View |
- |
View |
View |
- |
- |
|
Edit all |
View all |
- |
Custom |
Custom |
- |
- |
|
Edit |
Edit |
- |
Edit |
Edit |
- |
- |
|
Edit |
- |
- |
- |
- |
- |
- |
|
Edit |
- |
- |
- |
- |
- |
- |
|
Edit |
View |
View |
View |
View |
View |
View |
|
Edit |
View |
View |
View |
View |
View |
View |
|
Edit |
- |
- |
- |
- |
- |
- |
|
Edit |
Edit |
- |
Edit |
Edit |
- |
- |
|
Edit |
- |
- |
- |
- |
- |
- |
|
Edit |
View |
- |
View |
View |
- |
- |
Search service
| Domain | Administrators | Analytics Managers | Analytics Viewers | Content Managers | Relevance Managers | Users | Knowledge Managers |
|---|---|---|---|---|---|---|---|
Allowed |
- |
- |
Allowed |
Allowed |
Allowed |
Allowed |
|
View |
- |
- |
- |
- |
- |
- |
|
Allowed |
- |
- |
- |
- |
- |
- |
|
Allowed |
- |
- |
- |
- |
- |
- |
|
View |
- |
- |
- |
- |
- |
- |
|
Query pipeline preview |
View |
- |
- |
- |
- |
- |
- |
Edit all |
- |
- |
- |
Edit all |
- |
- |
|
Replay any query |
View |
- |
- |
- |
- |
- |
- |
Edit |
- |
- |
- |
- |
- |
- |
|
Edit |
- |
- |
- |
- |
View |
View |
|
Edit |
- |
- |
- |
View |
- |
- |
|
Allowed |
- |
- |
- |
- |
- |
- |
Very useful
Not really
Very useful
Not really